Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 218933 (CVE-2008-1671)

Summary: kde-base/kdelibs <3.5.8-r4 start_kdeinit multiple vulnerabilities (CVE-2008-1671)
Product: Gentoo Security Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: jer, kde
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.kde.org/info/security/advisory-20080426-2.txt
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
patch for KDE 3.5.5 - KDE 3.5.9
none
kde-base/kdelibs/kdelibs-3.5.8-r4.ebuild none

Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-22 19:33:13 UTC
Please note that this issue is under embargo until 2008-04-25. *Do not commit*
anything to CVS and keep any information confidential until that date.

Advisory Draft

1. Systems affected:

	start_kdeinit of KDE 3.x as of KDE 3.5.5 or newer. KDE 4.0
	and newer is not affected. Only Linux platform is affected.


2. Overview:

	start_kdeinit is a wrapper to launch kdeinit with a lower OOM
	score on Linux. This helper is used to ensure that a
	single KDE application triggering the Linux kernel OOM killer
	does not kill the whole KDE session. By default,
	start_kdeinit is installed as setuid root. The start_kdeinit
	processing of user-influenceable input is faulty.

3. Impact:

        If start_kdeinit is installed as setuid root, a local user
        might be able to send unix signals to other processes, cause
        a denial of service or even possibly execute arbitrary code.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-22 19:35:33 UTC
Created attachment 150638 [details, diff]
patch for KDE 3.5.5 - KDE 3.5.9
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-22 19:37:49 UTC
Please prepare an ebuild with the patch and put it up here so we can call the arch security liaisons to test it. 

Do not commit anything to CVS before this has been made public.
Comment 3 Ingmar Vanhassel (RETIRED) gentoo-dev 2008-04-23 12:24:00 UTC
Created attachment 150693 [details]
kde-base/kdelibs/kdelibs-3.5.8-r4.ebuild

Ebuild attached, the patch posted earlier goes in as files/kdelibs-3.5.8-kinit-CVE-FIXME.patch
The 3.5.9 ebuilds will get the same treatement, when I'm allowed to commit.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 15:46:47 UTC
Use CVE-2008-1671 when committing then.

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-24 03:12:11 UTC
That's OK for HPPA.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-04-24 08:55:40 UTC
Looks okay on alpha/ia64/sparc/x86
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2008-04-24 16:35:32 UTC
looks good on ppc64
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-24 19:00:41 UTC
good to go on ppc
Comment 9 Wulf Krueger (RETIRED) gentoo-dev 2008-04-26 21:06:27 UTC
As asked for by welp I've tested on amd64 on which it's fine, too.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-04-27 10:12:02 UTC
This is public via $URL. KDE, please commit to the tree straight to stable for the arches that reported back. Thanks, everyone.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-28 12:34:18 UTC
I am well aware I am no member of the KDE project, but since it's a right mess at the moment I have committed Ye Ebuilde And Patche to the tree.

# ChangeLog for kde-base/kdelibs
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/kde-base/kdelibs/ChangeLog,v 1.523 2008/04/28 12:32:23 jer Exp $

*kdelibs-3.5.8-r4 (28 Apr 2008)

  28 Apr 2008; Jeroen Roovers <jer@gentoo.org>
  +files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch, +kdelibs-3.5.8-r4.ebuild:
  Straight to stable (bug #218933).
Comment 12 Ingmar Vanhassel (RETIRED) gentoo-dev 2008-04-28 12:45:05 UTC
(In reply to comment #11)
> I am well aware I am no member of the KDE project, but since it's a right mess
> at the moment I have committed Ye Ebuilde And Patche to the tree.

I was out during the weekend, had Wulf not been retired today, he would've committed what I posted in #c3 first thing in the morning.
~arch done too.
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-04-29 06:26:17 UTC
Fixed in release snapshot.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-29 12:34:34 UTC
GLSA 200804-30

thanks everyone